An IT Viewpoint. Darin Kreimeyer, Senior Manager; Newel Linford, Manager

Presentation transcript:

Sarbanes-Oxley Act (404)
An IT Viewpoint
Darin Kreimeyer, Senior Manager
Newel Linford, Manager
May 23, 2019

404 IT Agenda
- Section 404: Overview and Impact
- IT Controls Overview
- 404 IT Focus
  - Significant Accounts and Processes
  - IT Documentation Considerations
  - Identifying Possible IT Errors
  - Identifying Relevant IT Controls
- 404 IT Viewpoint
- Summary
- Open Discussion

Overview of Section 404
Internal Control Evaluation and Reporting
- Sarbanes-Oxley Act Language Excerpt: “…each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer.”
Background on Standards
- PCAOB Standards Language Excerpt: “The bottom line for Congress, and for the PCAOB, is the reliability of the company's financial statements – statements relied on by shareholders, management, directors, regulators, lenders, investors and the market at large.”

Overview of Section 404
Two Attestations
- Financial Statement Opinion
- Internal Control Opinion
Compliance Deadline
- Accelerated Filers: November 15, 2004
- Others (i.e., Market Cap. < $75M): July 15, 2005

IT Controls Overview
- Standards and Guidance
- Entity Level Controls
- General Controls
- Application Controls

IT Controls Overview: Standards and Guidance
- PCAOB Internal Control Standards
  - Issued March 9, 2004
  - Based on COSO
- AICPA
  - SAS 94 – “The effect of IT on internal control in a financial statement audit.”
- IT Governance Institute
  - Guidance on IT Related Controls Specific to 404
  - Based on COBIT

IT Controls Overview
404 requires an assessment at the following levels of controls:
- Entity Level Controls
  - Strategic Planning
  - Organizational Structure
  - Policies and Procedures
  - Risk Assessment
  - Third Party Management
- General Controls
  - Logical Access
  - Program Change
  - Program Development
  - Computer Operations
- Application Level Controls
  - Input
  - Transmission
  - Processing / Recording
  - Output / Reporting

404 IT Focus: Significant Accounts and Processes
- Virtually every process is IT dependent in some form or fashion
- Transaction flows are typically automated
- Management often relies on programmed controls for routine and non-routine processes
- Estimation processes are normally dependent on IT generated data elements

404 IT Focus: IT Documentation Considerations
- Should describe flow of transaction initiation, recording, processing and reporting
- Flowcharts, diagrams and narratives
- Level of required system and control documentation dependent on:
  - Number of businesses / locations
  - Degree of IT centralization
  - Nature / complexity of transactions
  - Degree of management reliance on IT systems

404 IT Focus: Identifying Possible IT Errors
- Errors that individually or collectively could have a material effect on the financial statements
- Root causes for errors include:
  - Integrity of major input sources
  - Significant processing procedures
  - Access to important data files
  - Erroneous factors and assumptions
  - Competency of personnel
  - Functional segregation of duties

404 IT Focus: Identifying Relevant IT Controls
- Should involve a collaboration with process owners and knowledgeable IT personnel
- Automated application controls
- System generated information
- IT general controls

Impact of Section 404
- Compliance costs in the tens of billions
- Average audit fee increase 25-50%
- Substantial and direct impact to information systems and related environments
- Creation of specific 404 job positions
- Impact from disclosure of material weaknesses unknown

404 IT Viewpoint: Summary of Findings
- IT has been an integral part of the evaluation process.
- Organizations are taking advantage of new ERP implementations to also meet SOX requirements.
- IT functions that are segregated across multiple locations have been using a “teaming” and sometimes automated approach to document controls.
- Organizations are looking to streamline and improve IT processes as a result of the documentation effort.
- Organizations have placed heavy reliance on manual controls. As a result, application controls are not effectively used.

404 IT Viewpoint: Summary of Findings
- Focus has been on key and selective IT controls to be used for testing.
- Organizations without proper IT audit experience and knowledge appear to have developed “inadequate” documentation.
- Documentation has been in narrative format vs flowcharts to save time and effort.
- IT documentation has been kept separate from the manual / financial process documentation.

404 IT Viewpoint: Challenges
- Organizations that require IT assistance have had difficulty finding resources internally or externally. Resources are extremely scarce!
- Determining what and how much to document are key areas of concern.
- Integrating the IT documentation within the manual / financial process documentation is difficult.
- Coordination and documentation efforts for decentralized IT operations are challenging.
- Organizations don’t have access to automated tools to efficiently analyze application controls.

404 IT Viewpoint: Leading Practices
- Include IT executives on project team.
- Hire or engage qualified IT auditors.
- Consider COBIT standards as a baseline for consideration of IT controls.
- Use automated tools to analyze financial applications.
- Documentation should describe flow of transaction initiation, recording, processing and reporting.
- Consider documenting controls in the form of flowcharts rather than narratives, or a combination of the two.

404 IT Viewpoint: Leading Practices
- Consider standard surveys and questionnaires for organizations with decentralized IT operations.
- Validate and test only those IT controls considered critical and key to the financial process.
- Meet with your external auditor frequently to obtain “buy-in”.
- Consider using application controls to reduce dependence on manual controls.

Summary
Key Things to Remember about 404 from an IT Perspective:
- Controls help to maintain the integrity of business processes, including financial reporting
- Information systems play a key role in these processes
- Stronger control environments will reduce the likelihood of another Enron or WorldCom
- 404 requires extensive documentation

Thanks For Listening!
Questions / Answers